Disclaimer



Information in this document is provided in connection with 
Hewlett-Packard Company products. No license, express or 
implied, by estoppel or otherwise, to any intellectual property 
rights is granted by this document. Except as provided in 
Hewlett-Packard Company's Terms and Conditions of Sale for 
such products, Hewlett-Packard Company assumes no liability 
whatsoever, and Hewlett-Packard Company disclaims any 
express or implied warranty, relating to sale and/or use of 
Hewlett-Packard Company products including liability or 
warranties relating to fitness for a particular purpose, 
merchantability, or infringement of any patent, copyright or 
other intellectual property right. Hewlett-Packard Company 
products are not intended for use in medical, life saving, or life 
sustaining applications. 

Hewlett-Packard Company may make changes to specifications 
and product descriptions at any time, without notice. 

This Hewlett-Packard VPN Server Appliance SA3110/SA3150/ 
SA3400/SA3450 Installation Guide, as well as the software 
described in it is furnished under license and may only be used 
or copied in accordance with the terms of the license. The 
information in this manual is furnished for informational use 
only, is subject to change without notice, and should not be 
construed as a commitment by Hewlett-Packard Company. 
Hewlett-Packard Company assumes no responsibility or liability 
for any errors or inaccuracies that may appear in this document 
or any software that may be provided in association with this 
document. 

Except as permitted by such license, no part of this document
may be reproduced, stored in a retrieval system, or transmitted
in any form or by any means without the express written consent
of Hewlett-Packard Company.

Copyright © Hewlett-Packard Company 2001. 
Statement of Compliance for the HP VPN
Server Appliance SA3110

This product follows the provisions of the European Directive
1999/5/EC.

Purpose

The purpose of this Installation Guide is to provide you with
installation instructions for Release 6.8.2 of the HP VPN Server
Appliance SA3110/SA3150/SA3400/SA3450. The term VPN device
is used in this document to refer to all of these devices.



Overview

This manual contains six chapters and one appendix that tell
you:

• System hardware and software requirements for your VPN 
device 

• The function of each required component of your VPN 
device 

• Installation instructions for each of the components of the 
VPN device 

• Upgrade instructions for your VPN device 

• Supplementary procedures for the VPN device 



Chapter and Appendix Contents

The following list describes the contents and purpose of each
chapter, and the appendix.

1. Getting Started 

This chapter gives an overview of the structure of this 
manual and explains the function of each installation 
component. 

2. Before You Install 

This chapter lists the system hardware and software 
requirements for installing the VPN device and gives an 
overview of installation prerequisites and steps. 

3. Performing the Initial Hardware Setup 

This chapter tells you how to perform the initial hardware
setup, connect your VPN device to the network, and set up a
basic routing mode or bridge mode configuration on a new
VPN device.

4. Installing HP SA3000 Series VPN Manager 

This chapter tells you how to install the VPN Manager
software on your PC, create a device list with entries for your
VPN device, add your VPN device (meaning that the VPN
Manager software "sees" the device, and knows it is
accessible), and save your VPN device list and configuration
information to a file.

5. Installing HP SA3000 Series VPN Client 

This chapter tells you how to install the VPN Client software 
on your PC. 

6. Supplementary Procedures 

This chapter gives instructions for the following procedures: 

• Installing or Replacing the X.21 or V.35 Serial Card in the
VPN device

• Using the copy command 

• Capturing a terminal emulation session as text 

• Viewing a terminal emulation session 

• Deleting the current VPN device configuration 

• Reconfiguring the VPN device 

• Viewing the IP configuration 

• Using Telnet 

7. Appendix— Network Infrastructure Checklists 

This appendix provides checklist tables to complete, to help
you gather all your network information together, before you
install your VPN device.






Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Installation Guide 



Required Components of a VPN Device 

There are three primary required components for a new VPN 
device: 

• VPN device 

• VPN Manager 

• VPN Client 

This section explains the functions of each of these three 
primary components. 

Functions of the VPN Device

The VPN device is a hardware/software security system that
processes data packets as they pass between the public side and
the private side of a network.

The device can be added to your network as the primary firewall,
work in conjunction with an existing firewall, function as a
bridge, or work in conjunction with routers. In conjunction
with more than one VPN device, it can also be used for load
balancing and redundancy for VPN Client connections.

The VPN device performs three major functions: 

• At the communications level, the VPN device can act either
as an IP router or as an IP bridge; that is, it operates at layer
3, not layer 2.

• As a packet encryptor, the VPN device can selectively 
encrypt and decrypt data based on source and destination 
addresses and ports. This provides the flexibility of sending 
both encrypted and clear data using the same infrastructure, 
without compromising your centrally managed security 
policy. 

• As a firewall, the VPN device can be used as a packet filter
and a stateful inspection proxy. The VPN device goes further
than traditional firewalls, however, by adding authentication
to the creation of tunnels, which allows the creation of truly
secure virtual private networks for VPN tunnels that
terminate outside the firewall.



Functions of VPN Manager

VPN Manager is a graphical tool, based in any Win32 operating
system, including Windows 9x, Windows NT, or Windows 2000,
that lets you configure the VPN device. It enables administrators
to centrally manage multiple VPN devices across multiple sites
within a network.

VPN Manager also works with the external authentication 
servers that define and grant access to VPN Client users. 



Functions of VPN Client

VPN Client is a software-based package that allows for
encryption in cooperation with the Windows 95, Windows 98,
Windows 2000, or Windows NT TCP/IP stack. This configuration
permits true virtual private networking and allows you to form
encrypted tunnels to other VPN device series products. This
provides desktop-to-gateway security within a local area
network or across any wide area network.

Because all HP VPN products operate at the network layer, the 
VPN Client is completely transparent to users and works with 
most applications. Users can dial in to any Internet service 
provider (ISP) and use the VPN Client to create a secure channel 
back to your network, which eliminates the need for expensive 
dial-in equipment and toll-charges. 

The VPN Client allows you to create and configure tunnels 
through which encrypted data can travel safely without risk of 
tampering. After connecting to your local ISP or company LAN, 
only the IP traffic that the VPN Client is configured to process 
passes down the tunnel to the opposing VPN device. All other IP 
activities, such as Web browsing, cannot pass down the tunnel 
unless the VPN Client determines otherwise. 
This section lists the system hardware and software
requirements for installing each of the following: 

• VPN device 

• HP SA3000 Series VPN Manager, Release 6.8.2 

• HP SA3000 Series VPN Client, Release 6.8.2 

VPN Manager Requirements

The hardware and software requirements for VPN Manager
Release 6.8.2 include:

• PC or PC-compatible desktop computer

• Windows 95 (B) or OSR2, Windows 98, Windows NT 4.0, or
Windows 2000 (Workstation or Server version with Service
Pack 4, minimum, for year-2000 capability) running on:

— Intel Pentium® 100 MHz (minimum) processor performance
level or better

— At least 5 MB of free disk space

— At least 32 MB of RAM

— Support for Winsock 2.0

VPN Client Requirements

The hardware and software requirements for HP SA3000 Series
VPN Client Release 6.8.2 include:

• PC or PC-compatible desktop computer

• Windows 95 (B) or OSR2 or Windows 98 running on:

— Intel Pentium 90 MHz (minimum) processor or better

— At least 5 MB of free disk space

— At least 32 MB of RAM

— Dial-Up Networking Release 1.3 or later

— Support for Winsock 2.0 (required for protocol 99 and
IPSec features)

• Windows NT 4.0 (Service Pack 4 or later) running on:

— Intel Pentium 90 MHz (minimum) processor or better

— At least 5 MB of free disk space

— At least 32 MB of RAM

• Windows 2000 Professional running on:

— Intel Pentium 133 MHz (minimum) processor or better

— 2 GB hard drive with 650 MB minimum free disk space

— 64 MB minimum RAM
Installation Overview

The following flowchart provides an overview of the installation
process for your VPN device:

1. Complete preinstallation requirements. Refer to the
Installation Preparation Checklist in Chapter 2.

2. Perform the initial hardware setup. Refer to Chapter 3.

3. Set up a basic routing mode configuration and connect the
device to the network. Refer to Chapter 3.

4. Install and configure the VPN Manager software. Refer to
Chapter 4.

5. Install and configure the VPN Client software. Refer to
Chapter 5.

Related Info Installation Preparation Checklist (page 2-4)
Installation Preparation Checklist

Before you install the VPN device, complete the following tasks:

Map out your current network topology, and determine IP
addresses and default gateways. Having the IP address scheme
already decided helps you configure the unit.

Refer to the Appendix, "Network Infrastructure Checklists," 
for checklists to complete on your network's infrastructure. 
The checklists can help you gather the network information 
you need to complete the VPN device installation. 

The VPN devices can be integrated into your existing 
network in a variety of configurations. However, when these 
devices are added to an existing network, 80 percent of 
network administrators use one of the following 
configurations: 

• One-Armed Router Configuration 

• In-Line Router Configuration

• In-Parallel Configuration 

For more complete information on these configurations, see 
the Network Layout Reference Guide. 

Before you perform the initial hardware setup, you must
have the following information and terminal emulation program
available:

• Serial communication port number on your computer to 
which the console cable is connected and the IP address of 
the device 

• IP and subnet mask addresses for the two Ethernet 
interfaces 

• Default gateway IP address for the device 

• Terminal emulation program such as HyperTerminal to 
communicate with a VPN device when the device is in a 
factory-default state 

If the VPN device is behind your firewall, allow UDP 2233 (for
IPSec) or protocol 99 through your firewall for access to the
device from the Internet. If you use certificate authentication,
also allow UDP 10027 for the X.509 certificate authority through
your firewall. For information on how to configure your
firewall, please contact the manufacturer.
If you use a different subnet when creating site-to-site
tunnels, make the proper routing changes for your organization.
For example, if your internal network is 10.0.0.0 and you assign
an incoming address from 192.168.x.x, all internal routers must
be configured to send all 192.168.0.0 traffic to the VPN device.
Performing the Initial Hardware Setup

In this chapter, you complete the following tasks: 

1. Physically connect the supplied DB-9 cable to your VPN 
device and your PC. 

2. Check power supply voltage setting. 

3. Turn on the VPN device. 

4. Create a console window with your terminal emulation 
program. 

5. Establish an initial session between your PC and your VPN 
device. 

6. Run your setup script. 

7. Configure Syslog for troubleshooting. 

8. Connect your device to the network. 

Next Step Preparing to Configure a New VPN Device (page 3-2) 
Preparing to Configure a New VPN Device

A set of keys is packed in the shipping container. These are 
universal keys that fit any HP VPN device. Keep the keys in a safe 
place. It is not necessary to lock the device. 

In preparation for configuring your new VPN device, you must 
complete the following tasks: 

1. Insert the flash card into the device. 

2. Connect the supplied DB-9 cable to your device. 

3. Set power supply voltage. 

4. Turn on the device. 

5. Create a console window with your terminal emulation 
program. 

When the VPN device is in a factory-default state, the only way
to communicate with it is through the console cable. You run the
console cable between the serial port on the device and the
serial port on the computer on which you want to have the
console window.

After you make the physical connection, you open a console 
window so you can run the setup script to configure the new 
device. 



Inserting the Flash Card

Packed inside the shipping container is a flash card. To insert the
flash card into the VPN device:

1. Unwrap the flash card. 

2. Open the front panel of the device by twisting the lock 
mechanism clockwise. 

The front panel drops down. 

3. Insert the flash card vertically in the flash card receptacle. 

4. Close the front panel. 

5. Secure the front panel by twisting the lock mechanism 
counterclockwise. 
Connecting the Cable and Powering On the Device

To connect the cable and turn on the device:

1. Connect the supplied DB-9 console cable to the console port
of the VPN device and to the COM port on your PC. Make a
note of the communication port number on your PC.

2. Ensure that the voltage switch is set to the proper voltage
used in your environment.

3. Plug in the power cable. 

4. Turn on the VPN device by setting the power switch to the 1 
(one) position. 

Creating a Console Window

To create a Console window:

1. In the Start menu:

• For NT systems, select Programs, then Accessories, then
HyperTerminal.

• For Windows 98 systems, select Programs, then 
Accessories, then Communications, then 
HyperTerminal. 

The HyperTerminal window appears. 

2. In the File menu, select New Connection. 
The Connection Description window appears. 

3. In the Name field, enter a name for the session. The Hewlett- 
Packard Company recommends that you call the session 
Console. 

4. In the Icon list box, select an icon to represent the session on
your desktop.

5. Click OK. 

The Phone Number window appears. 

6. In the Connect drop-down menu, select Direct to Com N,
where N is the number of the serial port to which you
connected the console cable.

7. Click OK. 

The COM N Properties window appears. 

8. In the Bits per second drop-down menu, select 9600. 

9. In the Flow control drop-down menu, select None. 
10. Click OK.

You return to the terminal emulation program window, 
where the cursor is blinking in an otherwise blank white 
screen. You now have an active console session and can 
communicate from your computer to the device. 



Next Step Setting Up a Basic Routing Mode Configuration on a
New Device (page 3-4)
Setting Up a Basic Routing Mode
Configuration on a New Device

In this section, to set up a basic routing mode configuration, you
complete the following tasks:

• Establish an initial session between your PC and your VPN 
device. 

• Run your setup script. 



Prerequisites

Before you set up a basic routing mode configuration you must
have gathered the following information and completed the
following tasks:

• You must have created a console window before setting up
the device. See the previous section, "Preparing to Configure
a New VPN device."

• You must know the IP address and subnet mask for the red
Ethernet interface E0 and for the black Ethernet interface E1
and the IP address for the default gateway.

• You want the device to be in normal mode before you start 
configuring it through the setup script. Allow the device 60 
seconds to boot through safe mode into normal mode. After 
60 seconds, enter the command enable. 



Establishing an Initial Session

To set up the basic configuration of the VPN device, first
establish a session between your PC and the device:

1. Ensure that the power switch on the device is in the 1 (one) 
position. 

2. At your desktop, open the Console window. 
This window is empty. 

3. To capture the session to a file, select Transfer, then select 
Capture Text. 

4. In the File menu, select Save. 
The Save window appears. 

5. In the Save in field, select the folder in which you want to 
keep the session file. 
6. In the File name field, select the file name you want to give
the session file. 

7. Click Save. 

You return to the HyperTerminal window. 

8. Press Enter three times. 

The license agreement appears in the Console window. 

9. Press the space bar or press Enter to scroll through the 
license agreement. 

10. To accept the license agreement terms, press Y. 

This creates a file called license.txt that tells the operating
system to forego displaying the license agreement the next
time that the VPN device starts.

Next, a name-and-state prompt similar to this one appears on
the screen:

hostname : SAFE> 

11. Wait 60 seconds. 

The device changes from safe mode to normal mode. The 
device must be in normal mode before you run the setup 
script for it. 

12. At the name-and-state prompt, enter enable. 
A password prompt appears on the screen. 

13. At the password prompt, enter admin. 

The default password from the factory is admin in all 
lowercase letters. 

Note: Passwords are case sensitive. 

As you enter the password, a row of asterisks (*) appears. 
When the VPN device accepts the password, the word 
Passed appears on the screen. Then the name-and-state 
prompt appears again: 

hostname : NORMAL # 
Running the Setup Script

You run the setup script to configure your new VPN device.

Notes:

1. You cannot communicate with a device from VPN Manager
until you run the setup script.

2. Do not run the setup script on a device that has already been
configured.

3. Words shown in square brackets provide examples of the
required information. They are not defaults.

4. Every time you run the setup script, you must complete each
of the following steps 1-14.

To run the setup script: 

1. To get into setup mode, at the name-and-state prompt, enter 

setup. 

The prompt changes to the following: 

hostname (setup) # 

Note: The word "setup" in parentheses means that you are 
in setup mode. 

2. To set the host name of the device, at the prompt, enter the
name you want to call the device. For example, if you want
to call the device vpn1, enter vpn1 at the following prompt:

Enter Hostname [hostname]:

Hostnames are case sensitive. 

The following message appears: 

Bridge Mode On (Y/N) 

3. Enter n to disable bridge mode and set the device to routing 
mode. 

4. At the prompt, enter the IP address for the red (private)
Ethernet interface E0.

5. At the prompt, enter the subnet mask for the red (private)
Ethernet interface E0.

6. At the prompt, enter the IP address for the black (public)
Ethernet interface E1.

7. At the prompt, enter the subnet mask for the black (public)
Ethernet interface E1.
8. At the prompt, enter the IP address for the default gateway.

The default gateway is the gateway that provides a route to
the Internet. The VPN Gateway does not support Routing
Information Protocol (RIP) or any other form of dynamic
routing table updates. All other routing information must be
configured statically using the command shell (through the
console window) or VPN Manager.

9. To set the Manager Password, enter password.

Note: Only the VPN Manager uses this password. It is not 
used for Telnet, nor is it the console password; it is used as 
an encryption key to encrypt communications between the 
VPN Manager and the device. The factory-default manager 
user name is admin. 

Note: Passwords are case sensitive. 

10. To set the time zone of the device, enter the time zone with 
respect to Greenwich Mean Time. For example, to set the 
time zone for Boston, enter: 

timezone est 5 edt 

11. To set the VPN device's clock, enter the year, month, day, 
hour (in 24-hour format), minute, and second. For example, 
to set the system clock to December 31, 2000, at 2:18 p.m., 
enter the following responses for year, month, day, hour, 
minute, and second: 

00 12 31 14 18 00 

The device now asks you if you want to save the setup 
entries. 

12. At the prompt, enter y. 

13. Test the interfaces using ping. At the prompt, enter ping and
the full IP address of the E0 interface:

ping 10.1.1.2 255.255.255.0 

The device informs you of the success of the ping. 

Note: The initial ping has a success rate of 80 percent as the 
device must use the Address Resolution Protocol (ARP) to 
resolve the physical address of the destination IP address. 

14. At the prompt, enter ping and the full IP address of the E1
interface:

ping 10.1.2.2 255.255.255.0

The device informs you of the success of the ping. 

The setup script is now complete. The initial configuration is set 
on the new VPN device. 

Next Step Using Bridge Mode With the VPN Device (page 3-8) 
Using Bridge Mode With the VPN Device

The VPN device has two basic operating modes: 

• router 

• bridge 

VPN devices are usually deployed as routers, which is the default
configuration. In certain network topologies, however, it is
advantageous to configure a VPN device in bridge mode. The
difference between router and bridge mode is how the VPN
device is assigned IP addresses and how the VPN device handles
Address Resolution Protocol (ARP) requests that it picks up on
the network.

Note: Switching from bridge mode to router mode or from
router mode to bridge mode requires you to reboot the VPN
device.



Router Mode Address Assignment

In router mode, each physical interface on the VPN device must
be assigned an address from a different subnet. For example,
Ethernet0 could be assigned 192.168.1.1 and Ethernet1 could be
assigned 172.16.1.1.

Use the interface command when you assign addresses to a
VPN device that operates in router mode. To assign the
addresses from the command line, use the following format:



hostname: NORMAL# config
hostname [config]: NORMAL# interface e 0
hostname [config] [int e 0]: NORMAL# ip address 192.168.1.1 255.255.255.0
hostname [config] [int e 0]: NORMAL# interface e 1
hostname [config] [int e 1]: NORMAL# ip address 172.16.1.1 255.255.255.0
hostname [config] [int e 1]: NORMAL# end
hostname: NORMAL# write
IP Bridge Mode Address Assignment

In IP bridge mode, all physical interfaces on the VPN device are
assigned the same IP address. Use the bridge command when
you assign an address to a VPN device that operates in bridge
mode. To assign IP address 10.1.1.1 mask 255.255.255.0 from the
command line, use the following format:

hostname: NORMAL# config
hostname [config]: NORMAL# bridge 10.1.1.1 255.255.255.0
hostname [config]: NORMAL# end
hostname: NORMAL# write



Configuring IP Bridge Mode

To configure IP bridge mode from VPN Manager, in the
Configure Device window for the VPN device, on the Interfaces
tab, select Bridge Mode in the Interface drop-down menu, and
select the Enable Bridging Mode check box. The bridge mode
command overrides the interface command.

To disable bridge mode from VPN Manager, in the Configure
Devices window for the VPN device, on the Interfaces tab, clear
the Enable Bridging Mode check box. The VPN device reverts to
router mode, using the IP addresses assigned in the interface
commands.

Note: Using the interface command to assign the same 
address to more than one physical interface on a VPN device 
causes severe network congestion on your network. 
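
The addressing rules above (a different subnet per interface in router mode, one shared address in bridge mode) can be checked before the values are typed into the setup script or the interface and bridge commands. The Python check below is an added example, not part of the HP software: the function names, the dictionary layout and the gateway addresses are assumptions, and the rule that the default gateway must sit on a directly connected subnet is general IP routing practice rather than a statement from this guide.

```python
import ipaddress

# Entries each mode expects (labels are this example's own naming).
EXPECTED = {"router": ("E0", "E1"), "bridge": ("bridge",)}


def parse_iface(label, ip, mask, problems):
    """Parse "ip mask" as typed at the console; record a problem, return None on error."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:  # malformed address, or a short / non-contiguous mask
        problems.append(f"{label}: {exc}")
        return None
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{label}: {iface.ip} is the network or broadcast address of {net}")
    return iface


def check_plan(mode, addresses, gateway):
    """Return a list of problems; an empty list means the plan is consistent.

    mode      -- "router" or "bridge"
    addresses -- router: {"E0": (ip, mask), "E1": (ip, mask)}
                 bridge: {"bridge": (ip, mask)}, the one address all interfaces share
    gateway   -- default gateway IP address as a string
    """
    if mode not in EXPECTED:
        return [f"unknown mode {mode!r}"]
    if set(addresses) != set(EXPECTED[mode]):
        return [f"{mode} mode expects exactly these entries: {', '.join(EXPECTED[mode])}"]

    problems = []
    ifaces = {}
    for label in EXPECTED[mode]:
        ip, mask = addresses[label]
        ifaces[label] = parse_iface(label, ip, mask, problems)
    if None in ifaces.values():
        return problems  # later checks would only add follow-on noise

    if mode == "router":
        red, black = ifaces["E0"], ifaces["E1"]
        if red.ip == black.ip:
            # The case the note above warns about.
            problems.append("E0 and E1 share one address; a shared address is a "
                            "bridge-mode setup (bridge command)")
        elif red.network.overlaps(black.network):
            problems.append(f"E0 {red.network} overlaps E1 {black.network}; "
                            "router mode needs a different subnet per interface")

    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        problems.append(f"gateway: {exc}")
        return problems
    if any(gw == iface.ip for iface in ifaces.values()):
        problems.append(f"gateway {gw} is the device's own address")
    elif not any(gw in iface.network for iface in ifaces.values()):
        problems.append(f"gateway {gw} is not on a directly connected subnet")
    return problems


if __name__ == "__main__":
    # Constructed plans; the first uses the router-mode addresses from this guide.
    plans = [
        ("router", {"E0": ("192.168.1.1", "255.255.255.0"),
                    "E1": ("172.16.1.1", "255.255.255.0")}, "172.16.1.254"),
        ("router", {"E0": ("10.1.1.1", "255.255.255.0"),
                    "E1": ("10.1.1.1", "255.255.255.0")}, "10.1.1.254"),
        ("bridge", {"bridge": ("10.1.1.1", "255.255.255.0")}, "10.1.1.254"),
    ]
    for mode, addresses, gateway in plans:
        print(mode, addresses, check_plan(mode, addresses, gateway) or "OK")
```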



ARP Request Handling

When a VPN device picks up an ARP request packet on one of its
interfaces, it handles the request in one of several ways,
depending on the mode of operation.

As a router, the VPN device responds to ARP requests under the
following conditions:

1. The ARP request is for an address that has been assigned to 
an interface on the VPN device. 

2. The ARP request is for an address that has been assigned to 
a remote user tunnel as a client IP. 

In router mode, the VPN device does not retransmit broadcast
traffic from one interface to another interface.

As a bridge, the VPN device responds to ARP requests under the
following conditions:

1. The ARP request is for an address that has been assigned to 
an interface on the VPN device. 

2. The ARP request is for an address that has been assigned to 
a remote user tunnel as a client IP. 

3. The ARP request is for an address that is currently in the VPN
device's ARP cache for an interface other than the
interface where the ARP request was picked up.

4. If the ARP request is for an address that is not in the VPN
device's ARP cache for any of its interfaces, then the
VPN device broadcasts a new ARP request out of all
interfaces except for the interface where the original ARP
request was picked up. If a device responds to the VPN
device, the VPN device creates a new entry in its ARP cache
and behaves as in condition 3 in the preceding paragraph.

Note: ARP requests and responses can become a significant 
percentage of your network traffic if the devices on your 
network are misconfigured. 
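
The response rules listed above can be written as a small decision model, which shows where the two modes diverge: conditions 1 and 2 apply in both, while conditions 3 and 4 exist only in bridge mode. This Python model is an added example, not HP code; the class name, the segments table that stands in for real hosts answering ARP, and every sample address are constructed, and the no-reply result for a target cached on the requesting interface is inferred from the wording of condition 3.

```python
from collections import namedtuple

# reply: does the device answer the ARP request?
# rule: which condition from the lists above decided it
# rebroadcast: interfaces on which a new ARP request was sent (condition 4)
Decision = namedtuple("Decision", "reply rule rebroadcast")


class VpnDeviceArpModel:
    def __init__(self, mode, interface_ips, client_ips=(), segments=None):
        self.mode = mode                          # "router" or "bridge"
        self.interface_ips = dict(interface_ips)  # {"e0": ip, "e1": ip}
        self.client_ips = set(client_ips)         # client IPs of remote user tunnels
        self.segments = segments or {}            # constructed: hosts per interface
        self.arp_cache = {}                       # ip -> interface it was learned on

    def handle_request(self, target_ip, in_iface):
        """Decide how an ARP request for target_ip, seen on in_iface, is handled."""
        if target_ip in self.interface_ips.values():
            return Decision(True, "1: interface address", ())
        if target_ip in self.client_ips:
            return Decision(True, "2: tunnel client IP", ())
        if self.mode == "router":
            # Router mode stops here; broadcasts are not carried across interfaces.
            return Decision(False, "router: not an address the device owns", ())

        cached_on = self.arp_cache.get(target_ip)
        if cached_on is None:
            # Condition 4: ask on every other interface and learn from a reply.
            others = tuple(i for i in self.interface_ips if i != in_iface)
            for iface in others:
                if target_ip in self.segments.get(iface, ()):
                    self.arp_cache[target_ip] = iface
                    return Decision(True, "4: learned, then handled as 3", others)
            return Decision(False, "4: no device answered", others)
        if cached_on != in_iface:
            return Decision(True, "3: cached on another interface", ())
        # Inferred: the real host sits on the requesting segment and answers itself.
        return Decision(False, "cached on the requesting interface", ())


def demo():
    """Run a constructed sequence of requests through a bridge-mode device."""
    bridge = VpnDeviceArpModel(
        "bridge",
        {"e0": "10.1.1.1", "e1": "10.1.1.1"},   # bridge mode: one shared address
        client_ips={"10.1.1.200"},
        segments={"e0": {"10.1.1.10"}, "e1": {"10.1.1.20"}},
    )
    requests = [("10.1.1.1", "e0"), ("10.1.1.200", "e0"), ("10.1.1.20", "e0"),
                ("10.1.1.20", "e0"), ("10.1.1.20", "e1"), ("10.1.1.99", "e0")]
    return [(ip, iface, bridge.handle_request(ip, iface)) for ip, iface in requests]


if __name__ == "__main__":
    for ip, iface, decision in demo():
        print(f"who-has {ip} on {iface}: {decision}")
```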

When Bridge Mode Should Be Used

A VPN device should be configured as a bridge if you are going
to connect two physically separate network segments that
contain devices in the same logical subnet. This is often the case
when the VPN device is going to be connected between an
existing firewall and a corporate network (referred to as inline
configuration in the Hewlett-Packard VPN Server Appliance
SA3110/SA3150/SA3400/SA3450 Network Layout Reference
Guide).

Note: The mode of operation of the VPN device does not affect 
the firewall or tunneling functionality of the VPN device. The 
physical interfaces of the VPN device can still be designated as 
black and red, and firewall rules can still be defined to allow or 
disallow IP traffic. 

Next Step Connecting the Device to the Network (page 3-12) 
Connecting the Device to the Network

In this section, you connect your VPN device to the network 
behind your firewall. 



Steps

To connect the VPN device to the network:

1. Turn the device off before connecting network cables.

2. Connect the supplied Ethernet cables to the Ethernet
interfaces.

3. Connect your Ethernet LAN cables to the shielded cables.

4. Turn the device on.

Once you have connected your VPN device to the network
behind your firewall, configure the device using VPN
Manager included on the CD-ROM. Follow the instructions in
the next chapter, "Installing VPN Manager."

Next Step Configuring Syslog for Troubleshooting (page 3-13)
Configuring Syslog for Troubleshooting

Syslog is a utility you can activate through the console window 
or VPN Manager to help troubleshoot problems when running 
your VPN device. 

This section explains how to use Syslog to view debugging 
messages. 



Checking Syslog Level

Syslog's logging levels run from 0 (the factory default) to 7,
with 0 being the most basic (emergency messages only) and 7
being the most specific. You can select the level of
debugging messages you want to use.

To check which level of specificity Syslog is set to on your 
device, enter show syslog at the console window prompt. One 
of the lines of text returned by factory-default-mode Syslog is 

syslog priority all 0. 

To set Syslog to level 7, in the console window (or, through a 
Telnet session, see "Using Telnet" in Chapter 7): 

1. At the VPN prompt, enter config.

2. At the VPN prompt, enter syslog priority all 7.

3. At the VPN prompt, enter end.

4. At the VPN prompt, enter write.



Activating or Deactivating Syslog Messages

To start displaying Syslog debugging messages, at the VPN shell
enable prompt, enter debug all.

To stop displaying Syslog debugging messages, at the VPN shell
enable prompt, enter debug all delete.



Syslog Online Help

For more extensive information on customizing your use of
Syslog, consult the section in the VPN Manager online Help
entitled "Configuring Syslog." Some examples of customized
Syslog usage are:

• Setting Syslog to display tunnel messages by entering 

syslog priority tunnel 7 

• Setting Syslog to display certificate messages by entering 

syslog priority certificate 7 
Next Step Installing VPN Manager (page 4-1)

Installing HP SA3000 Series VPN Manager

Overview to Installing HP SA3000 Series VPN Manager

Installing VPN Manager 

Adding a VPN Device With VPN Manager 

Saving New Device Information to a Configuration File 
Overview to Installing HP SA3000 Series
VPN Manager 

In this chapter, you complete the following tasks: 

1. Install the HP SA3000 Series VPN Manager software. 

2. Add your VPN device (meaning that the VPN Manager "sees" 
the device and knows it is accessible). 

3. Create a device list. 

4. Save the device list. 

5. Save your VPN device configuration information to a file.

Next Step Installing VPN Manager (page 4-2)

Installing VPN Manager

In this section, you install VPN Manager on your PC. 

Steps

To install VPN Manager on your PC:

1. Place the VPN Manager CD-ROM into the CD-ROM drive bay.
The VPN Manager CD-ROM menu appears.

Note: If the VPN Manager CD-ROM menu does not automatically
appear, use your file browser to locate the installation
files on the VPN Manager CD-ROM. Double-click the
setup.exe program to begin the installation procedure.

2. In the VPN Manager CD-ROM menu, select Install VPN
Manager.

The Installation Wizard begins. 

3. To advance to the licensing information screens, click Next. 

4. To continue the installation, click Yes. 

A window prompts you for your user information. 

5. Enter your user name and company name, then click Next. 

The next installation window displays the default directory 
for the program files. 

6. To accept the default directory, click Next. 
Setup adds an icon to the Program Folder. 

7. To accept the Hewlett-Packard Company VPN folder name, 
click Next. 

The software begins to install. Then a window asks you if 
you would like to have a shortcut created on your desktop. 

8. To create a shortcut, click Yes. 

9. To complete the installation, click Finish. 

Files are stored in the default directory. 

You can modify the directory name during installation (refer to 
step 6 in the preceding list of steps). This directory contains the 
executable file and an encrypted binary file that stores the 
names and IP addresses of all the VPN devices on your network. 
Be sure to back up this file on a regular basis.

When you double-click the VPN Manager icon on your desktop,
the VPN Manager application starts, and you are prompted for a
password when opening the encrypted device list file.



Next Step Adding a VPN Device With VPN Manager (page 4-4)

Adding a VPN Device With VPN Manager

In this section, you add your VPN device, so that VPN Manager 
knows the device is accessible. 



Steps

To add your device:

1. Open the VPN Manager software. 

2. In the File Menu, select Add Device. 
The Add Device window appears. 

3. Enter the IP address of the device. 

Note: Because a VPN device can have many IP addresses, 
you must enter an IP address on the same local network as 
VPN Manager, that is, a reachable address. 

4. In the Host Name field, enter the Host Name of the device. 

By default, VPN Manager reads the host name that you 
already configured on the device through the console 
window. If you do not want to change the host name, leave 
this field blank. If you do change the host name, click 
Commit to update the configuration. 

5. In the Folder field, select the device list/network layout in 
which you want the device information to reside. 

If you select All Devices, the device is placed in the All 
Devices folder. 

Note: After you add a device, you can create a new device 
list/network layout folder by selecting Add Folder in the File 
menu. 

6. In the User Name field, enter admin. 

This is the default user name from the setup script, and is 
required. Note that it is case sensitive. 

Note: You can change the default user name by creating 
other Manager user names in the General tab. 

7. In the Password field, enter password. 

This is the same administrator password that you set when
you ran the setup script in the basic routing mode
configuration. (See "Setting Up a Basic Routing Mode
Configuration on a New Device" in Chapter 3 of this
document.)

8. In the Reenter to confirm field, enter the password again. 

9. Click Add. 

The VPN Manager now displays the device in the color red. 
When the device appears in green, the device is in normal 
mode, and you can configure it. 

10. Double-click the device to configure it. 

The Configure Device window appears, displaying tabs. If 
the device does not open, see Checking Setup in the online 
Help. 

11. In the Device Details list box, select the device. 

12. In the File menu, select Save As. 
The Save As window appears. 

13. In the File name field, enter a name for the file. 

The VPN Manager attaches a .imn extension to the file name 
that you specify. 

14. Click Save. 

15. Click Add. 

You return to the VPN Manager main window. 

16. In the Configure menu, select Login Password. 
The Set Login password appears. 

17. In the New Password field, enter your Manager Password. 

18. In the Reenter to confirm field, reenter your password. 

19. Click Okay. 

You return to the VPN Manager main window. 

Note: You must create a password for VPN Manager if the 
following message appears: 

This network layout has no password. Please enter one in the
Configure Manager dialog box.

See "Adding a Device" in VPN Manager's online Help.

Next Step Saving New Device Information to a Configuration File (page 4-7)

Saving New Device Information to a Configuration File

In this section, you save the configuration information you 
entered in the preceding section, "Adding a VPN Device With 
VPN Manager," to a file. 



Steps

To save your configuration information to a file:

1. In the Configure menu, select Manager, then select 
Password. 

The VPN Manager window appears. 

2. Enter and reenter the password to confirm it.

Note: This password is for the device list only and is not 
related to the password you entered when you initially ran 
the Setup Script (Chapter 3, "Setting Up a Basic Routing 
Mode Configuration on a New Device"). 

It is also unrelated to the password you entered in the 
preceding section, "Adding a VPN Device With VPN 
Manager," when you created a .imn extension file. 

For more complete information about the passwords used 
with your VPN device, see VPN Manager online Help, under 
"passwords: about passwords." 

3. Click OK. 

You return to the VPN Manager main window. 

4. In the File menu, select Save As. 
The Save As window appears. 

5. Enter a file name. 

6. Click Save. 

The file is available immediately for use. 



Next Step Overview to Installing HP SA3000 Series VPN Client (page 5-1)

Installing HP SA3000 Series VPN Client

Overview to Installing HP SA3000 Series VPN Client

Installing VPN Client

Configuring the VPN Client for a Basic Tunnel

Overview to Installing HP SA3000 Series VPN Client

In this chapter, you complete the following tasks: 

• Install the HP SA3000 Series VPN Client 

• Configure the VPN Client software for a basic tunnel 

Prerequisites

Using Windows 95 (Gold or A) Versions

Because Windows 95 Gold and Windows 95A use DUN 1.0, these
releases do not support data transfer over tunnels established
over PPP dial-up connections. Windows 95B (OSR2) or Windows
95C (OSR3) releases work successfully. To view your Windows
95 version, select System Properties.

If you use Windows 95 Gold or Windows 95A, follow these steps
to upgrade to DUN 1.3 before you install the VPN Client:

1. Install the Windows 95 Dial-Up Networking (DUN) 1.3
upgrade. To obtain this upgrade, using your browser, go to
URL

http://support.microsoft.com/support/downloads/dp3267.asp

Click the upgrade file, msdun13.exe, then follow
the instructions on your screen to download the file.

2. Install the upgrade, then reboot your PC.

Required Information

Installing and configuring the VPN Client software for the first 
time requires that you have account information from your 
network administrator. 

Depending on how your network administrator has configured 
your network, only some of the following information may be 
required: 

• User name 

• Certificate name 

• Certificate challenge phrase 

• Certificate authority name 

• Certificate authority IP address 

• Peer host name 

• Peer IP address

• Peer challenge phrase

• Target network IP address and subnet mask

• An account configured on a RADIUS server, if necessary

• An account configured with SecurID or SecurID Software
Token's ACE/Server, if necessary

• An account configured for Entrust, if necessary

Software Version Compatibility

The Hewlett-Packard Company strongly recommends that you 
use Release 6.8.2 of all VPN software. 

Before installing the VPN Client, you may want to read some 
background information to become familiar with firewalls and 
encryption terminology that you are likely to encounter when 
using this product. Refer to the Hewlett-Packard Company
Virtual Private Networking Concepts Guide, on the software
CD-ROM.



Next Step Installing VPN Client (page 5-3)

Installing VPN Client

In this section, you install VPN Client on your PC. 

Note: All network adapters to be secured using the VPN Client 
must have TCP/IP bound to them before installation. 

Steps

To install VPN Client on your PC:

1. Quit all applications.

2. Place the CD-ROM into your computer's CD-ROM drive.

3. In the Start menu, select Run.

4. In the Run window, select Browse and select your
computer's CD-ROM drive (for example, E:\).

5. Select setup.exe and click OK. 

6. In the Run window, click OK. 

7. Select Yes to accept the displayed License Agreement. 
The User Information Window appears. 

8. Enter your name and the name of your company. Select Next
to continue.

The Choose Destination Location window appears. 

9. Enter the location where you want VPN Client to be installed 
or select Next to accept and use the default folder location. 

The Select Program Folder window appears. 

10. Enter the name you want to have appear under the desktop
icon and in the program folders list, or select Next to accept 
and use the default name. 

The User Configuration Disk pop-up window appears with 
the following question: 

Have you been provided with a User Configuration disk? 

11. Unless your system administrator gave you a disk with the 
VPN Client configuration on it, select No. 

12. In the Maximum number of WINS capable tunnels field,
select the maximum number of concurrent Windows
Internetworking Services (WINS) enabled tunnels you want
the VPN Client to make available by accepting the default
value of 2 or entering another number of tunnels you want.

The maximum number of tunnels is four.

13. Select Next to continue. 

The User Configuration Files window appears. 

14. Specify the location where you want to save future User 
Configuration files. Click Browse to select an alternate 
location. 

15. Select Next to continue. 

The VPN Client software is installed on your computer. 

After the VPN Client is installed, the following question 
appears: 

Do you want the VPN Client to start automatically every time
Windows restarts (recommended)?

16. Select Yes to have the VPN Client start each time you reboot 
Windows or select No to have manual control over starting 
the VPN Client. 

Note: You cannot undo this option once the VPN Client is 
installed. To undo this operation, you must reinstall the VPN 
Client. Reinstalling the VPN Client does not remove any 
configuration parameters you have saved to file. 

You are asked whether you want a shortcut for the VPN 
Client placed on the desktop. 

17. Select Yes to create a shortcut or select No to continue 
without creating a shortcut. Follow the directions in the 
window to complete the installation. 

Note: You must restart your computer after you install the 
VPN Client. If you do not restart your computer, you cannot 
use the VPN Client as the virtual network interface card. 



Next Step Configuring the VPN Client Software for a Basic Tunnel (page 5-5)

Configuring the VPN Client for a Basic Tunnel

In this section, you configure the VPN Client software for a basic
tunnel.

Steps

To configure a basic tunnel:

1. In the Start menu, select Programs, then HP SA3000 VPN 
Software, then VPN Client. 

The VPN Client Logon window appears. 

The first time you run VPN Client after installing it on your 
computer, you are prompted for a user name and password. 

2. Enter your user name and password in the window that 
appears. 

Note: The password is one that you make up, and is used 
only for the purpose of running the VPN Client the first time. 

3. In the Tunnels menu, select New.
The General Tab appears.

Note: Set up your authentication method now, unless you
are using a SecurID or RADIUS authenticated security
profile.

4. Enter the tunnel name. 

This name is a unique descriptor that you choose. For 
example, QA Lab Tunnel. 

5. Enter a group name, if necessary.

This group name is provided by your network administrator. 

6. Select the adapter (Dial-up networking, Ethernet, and so on) 
that you want the tunnel to apply to. 

7. Select the type of tunnel you want to use. 

You can choose from a Shiva Smart Tunnel (SST) or an IPSec
tunnel.

8. Click Add to add a VPN device/Tunnel Server name and IP
address.

9. Enter Peer IP and Peer Name in the corresponding fields and
click OK.

10. Select Enable WINS/DNS via VPN device and click OK.
You now have created a basic VPN tunnel.

For more information on configuring advanced features of the 
VPN Client, see the online Help file within the VPN Client 
software.

Supplementary Procedures

This chapter contains supplementary procedures, which are 
done occasionally, as required. This chapter gives instructions 
for the following supplementary procedures: 

• Installing or replacing the X.21 or V.35 serial card in the VPN
device

• Using the copy command (TFTP) 

• Capturing a terminal emulation session as text 

• Viewing a terminal emulation session 

• Deleting the current VPN device configuration 

• Reconfiguring the VPN device 

• Viewing the IP configuration 

• Using Telnet

Installing or Replacing the X.21 or V.35
Serial Card in the VPN Device

This section explains how to install or replace the X.21 or V.35 
serial card in your HP VPN Server Appliance SA3400/SA3450, 
and covers the following topics: 

• Hardware requirements 

• Safety precautions 

• Backing up your configuration file 

• Removing the cover of the VPN device 

• Installing/replacing the X.21 or V.35 serial card 

• Closing and securing the cover of the VPN device 

• Reconfiguring the VPN device 

• Restoring the configuration 



Hardware Requirements

This section lists the hardware requirements for installing the
X.21 or V.35 serial card into your HP VPN Server Appliance
SA3400/SA3450.

You need the following hardware to install the X.21 or V.35 serial
card into your VPN device:

• VPN device 

• X.21 or V.35 serial card 

• Phillips screwdriver 

• Disposable grounding wrist strap 



Safety Precautions

WARNING: Turn the power off, disconnect the power cable,
and disconnect all other cables before you perform this
procedure. Do not reattach any cables until you replace the cover of
the unit chassis and tighten the cover screws on the chassis.

CAUTION: Attach the disposable grounding wrist strap to your 
wrist and an exposed portion of the chassis, as indicated in the 
instructions on the wrist strap packaging. 

Note: Refer to the Regulatory Statements document included 
with your serial card for detailed information on installing the 
serial card.

Backing Up Your Configuration File

When you modify the VPN device's internal hardware by
installing or replacing the X.21 or V.35 serial card, you lose your
device's existing configuration file (ISBR.cfg).

The Hewlett-Packard Company recommends that before you 
modify the VPN device's internal hardware, you back up the 
ISBR.cfg file. You can use the VPN Manager or the TFTP copy 
command to back up the ISBR.cfg file. 

After you install or replace the X.21 or V.35 serial card, you can 
preserve all the advanced settings in your old ISBR.cfg file by 
combining it with the new ISBR.cfg file. See the final topic in this
section, "Restoring the Configuration," for complete instructions 
on restoring your original configuration's settings. 



Removing the Cover of the VPN Device

To remove the cover of the VPN device:

1. Loosen and remove the six cover screws located on the sides 
and rear of the unit chassis. 

2. Remove the top cover of the VPN device. 



Installing or Replacing the X.21 or V.35 Serial Card

To install or replace the X.21 or V.35 serial card:

1. Remove the screw that holds the Ethernet card in place in 
the slot labeled El. 

2. Push the X.21 or V.35 serial card into the connector, and 
ensure that it is firmly seated. 

3. Replace and tighten the screw back into place, so that it 
firmly holds the X.21 or V.35 serial card. 



Closing and Securing the Cover of the VPN Device

To replace the cover of the VPN device:

1. Lower the top cover of the chassis, then slide it forward.

2. Replace and tighten the two rear screws first, to ensure 
proper alignment. 

3. Replace and tighten the remaining four screws on the sides 
of the unit chassis. 

4. Reconnect all the cables, including the power cable, to the 
unit chassis.

Reconfiguring the VPN Device

To reconfigure your VPN device:

1. Configure and run your terminal emulation program (such as
HyperTerminal) to create an active console session.

The VPN device recognizes a changed configuration and 
prompts you to reboot the device. 

2. Press Enter to reboot the device. 

The VPN device reboots and displays its Manufacturing 
Mode Main menu: 

1. Configuration 

2. Self-diagnostics test 

3. User-diagnostics test 

4. Burn-in traffic tests 

5. Final Assembly and Serializations 

3. In the Main menu, select configuration. 

A new menu appears with two options: lan and wan. 

4. In the menu, select wan. 

5. In the Main Menu, Select Final Assembly and 
Serializations. 

The device asks: Is there an Access Pro 
Installed? Please confirm (y/n) 

6. Enter n. 

The device prompts: Enter the serial no: 

7. Enter the serial number of your device (located on the rear
side of the chassis directly beneath the handle). 

The device prompts: Please confirm (y/n) 

8. Enter y. 

The device prompts: Do you want to reboot... 

9. Enter y. 

The device prompts: Please confirm (y/n) 

10. Enter y. 

The VPN device reboots into production mode, whereby the
License Agreement appears. Follow the instructions in this

Restoring the Configuration

After you install or replace the X.21 or V.35 serial card in your
VPN device, you need to again create the basic configuration file
of the device.

To restore your advanced configuration settings that you saved
in your existing ISBR.cfg file, you need to open your old ISBR.cfg
file and copy and paste the sections you want to retain into your
newly created configuration in your Console window.

To create the new configuration file and restore the advanced 
settings of your saved ISBR.cfg file: 

1. Follow the instructions in this Hewlett-Packard VPN Server
Appliance SA3110/SA3150/SA3400/SA3450 Installation Guide
in Chapter 3 in the section entitled "Setting Up a Basic
Routing Mode Configuration on a New Device." Begin with
the subsection entitled "Establishing an Initial Session."

2. Follow the instructions in the subsection entitled "Running 
the Setup Script." 

3. Using a text editor such as Microsoft Notepad, open your 
previously saved ISBR.cfg file. 

4. Copy and paste the sections of your old ISBR.cfg file that you
want to retain into your Console window.

This combines the advanced configuration settings of your
previous ISBR.cfg file with your newly created configuration
file.

Using the Copy Command (TFTP)

The TFTP (Trivial File Transfer Protocol) copy command
transfers a file to or from a TFTP server. The copy command
can be used to upgrade firmware. Also, the copy command can
be used to back up or restore configuration files.

This transfer retains passwords and displays them in clear text. 

This section tells you how to copy new or modified 
configuration files from the computer running the TFTP server 
to the VPN device. 



Steps

To use the TFTP copy command:



1. Write or edit the isbr.exe and lrvg.exe files in a plain text 
editor, such as Notepad. 

2. Ensure the source computer has a TFTP daemon running. 

3. Install the isbr.exe and lrvg.exe files on your TFTP server. 

4. Open the Console window. 

See "Preparing to Configure a New VPN device" in Chapter 3. 

5. In the Console window, enter: 

copy from <ip address of the source computer with the 
TFTP daemon running> isbr.exe 

The isbr.exe file is transferred immediately from the 
computer to the VPN device. 

Note: If you copy a new version of an existing file to a VPN 
device, the device overwrites the existing file without any 
warning prompt. 

6. In the Console window, enter: 

copy from <ip address of the source computer with the 
TFTP daemon running> lrvg.exe 

The lrvg.exe file is transferred immediately from the 
computer to the VPN device. 

7. From the Console window or the VPN Manager window,
issue a reboot command to the device, then press Enter.

You are prompted to confirm your reboot command.

8. To confirm your reboot command, enter y.

The device reboots and the new settings take effect upon
restart.
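
An added example (not from the HP guide): TFTP, defined in RFC 1350, has no encryption or authentication, so a configuration file copied this way crosses the network as readable bytes, which is why the clear-text passwords noted above matter. The Python code below decodes TFTP payloads taken from your own lab capture, reassembles the transferred file, and lists the lines that mention a credential; the packets, file contents and keyword list are constructed for illustration and are not the device's real configuration syntax.

```python
import struct

BLOCK = 512  # RFC 1350 data block size; a shorter DATA block ends the transfer
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}


def decode(payload):
    """Decode one TFTP UDP payload into a dict. Nothing is encrypted or signed."""
    if len(payload) < 4:
        raise ValueError("TFTP packet shorter than 4 bytes")
    opcode, arg = struct.unpack("!HH", payload[:4])
    op = OPCODES.get(opcode)
    if op is None:
        raise ValueError("unknown TFTP opcode %d" % opcode)
    if op in ("RRQ", "WRQ"):
        # Request layout: opcode, filename, NUL, transfer mode, NUL
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3 or not fields[0]:
            raise ValueError("malformed %s" % op)
        return {"op": op, "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if op == "DATA":
        return {"op": op, "block": arg, "data": payload[4:]}
    if op == "ACK":
        return {"op": op, "block": arg}
    message = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
    return {"op": op, "code": arg, "message": message}


def reassemble(payloads):
    """Rebuild the file carried by one transfer: (filename, data, complete)."""
    filename, blocks, last = None, {}, None
    for raw in payloads:
        pkt = decode(raw)
        if pkt["op"] in ("RRQ", "WRQ"):
            filename = pkt["filename"]
        elif pkt["op"] == "DATA":
            blocks.setdefault(pkt["block"], pkt["data"])  # skip retransmissions
            if len(pkt["data"]) < BLOCK:
                last = pkt["block"]
    complete = last is not None and all(n in blocks for n in range(1, last + 1))
    return filename, b"".join(blocks[n] for n in sorted(blocks)), complete


def exposed_lines(data, keywords=(b"password", b"secret")):
    """Return the lines of a transferred file that mention a credential keyword."""
    return [line.decode("ascii", "replace") for line in data.splitlines()
            if any(word in line.lower() for word in keywords)]


def constructed_transfer():
    """Constructed sample: a device writing a config backup to a TFTP server."""
    content = (b"# constructed sample, not the device's real config syntax\n"
               + b"".join(b"# filler line %03d\n" % i for i in range(30))
               + b"admin password EXAMPLE-ONLY\n")
    packets = [struct.pack("!H", 2) + b"ISBR.cfg\x00octet\x00",  # WRQ from device
               struct.pack("!HH", 4, 0)]                          # ACK 0 from server
    for n, start in enumerate(range(0, len(content) + 1, BLOCK), start=1):
        packets.append(struct.pack("!HH", 3, n) + content[start:start + BLOCK])
        packets.append(struct.pack("!HH", 4, n))
    packets.insert(3, packets[2])  # DATA block 1 sent twice (retransmission)
    return content, packets


if __name__ == "__main__":
    _, sample = constructed_transfer()
    name, data, complete = reassemble(sample)
    print(name, len(data), "bytes, complete:", complete)
    for line in exposed_lines(data):
        print("readable on the wire:", line)
```

If this finds credentials in a capture from your own network, keep TFTP transfers on an isolated management segment and change the exposed passwords.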

Capturing a Terminal Emulation Session
as Text

This section tells you how to use a terminal emulation program 
such as HyperTerminal to capture a console session with a VPN 
device as a text file. 



Prerequisite

You must have configured a console window before using it for
text capture. See "Preparing to Configure a VPN device" in
Chapter 3.

Steps

To capture a console session as a text file for later review:

1. At your desktop, double-click the Console icon. 
The Console-HyperTerminal window appears. 

2. In the Transfer menu, select Capture Text. 
The Capture Text window appears. 

3. Accept the default folder location and file name, or browse 
to select a new location and enter a new file name in the File 
field. 

4. To start capturing the session, click Start. 

You return to the Console-HyperTerminal window. 

5. To minimize the HyperTerminal screen and leave the 
program running, click the Minimize icon. 

You return to your desktop. 

6. To close the program, in the File menu, select Exit.

Viewing a Terminal Emulation Session

This section tells you how to view a previously recorded terminal 
emulation session. 

Steps

To view a previously recorded terminal emulation session:

1. Open Notepad (or similar text editor). 

2. In the Start menu, select Programs, then Accessories, then 
Notepad. 

3. In the File menu, select Open. 
The Open window appears. 

4. In the list box, select the desired session. 

5. Click Open. 

You return to the Notepad window. The selected 
HyperTerminal session appears.

Deleting the Current VPN Device
Configuration 

This section tells you how to delete the current VPN device 
configuration and restore the factory defaults. 

Steps

To delete the current VPN device configuration:

1. At your desktop, double-click the HyperTerminal icon. 
The Console HyperTerminal window appears. 

2. Press Enter three times. 

This causes HyperTerminal to send a handshake to the VPN 
device attached to COM port N on your PC. 

When you receive a response from the device, a name-and- 
state prompt similar to the following example appears on the 
screen: 

namevpn : NORMAL> 

3. At the name-and-state prompt, enter enable. 
A password prompt appears. 

4. At the password prompt, enter your VPN device password. 

As you hit Enter, a row of stars appears.

When the VPN device accepts the password, the word 
Passed appears on the screen. 

5. The name-and-state prompt appears again: 

namevpn : NORMAL# 

6. At the name-and-state prompt, enter show dir. 
A directory listing for the VPN device appears.

Restoring the VPN Device Configuration

This section tells you how to restore the VPN device 
configuration to near-factory default condition, by deleting these 
four files: 

• isbr.cfg 

• safe.cfg 

• lrvg.acl

• safe.acl 

Steps

To delete these four files, and restore the VPN device
configuration to near-factory default condition:

1. At the name-and-state prompt, enter del filename where
filename equals the filename.extension of the first file to
be deleted.

The specified file is deleted immediately. The name-and-state 
prompt reappears. 

2. Repeat the previous step to delete the remaining three files. 

3. At the name-and-state prompt, enter show dir. 

A refreshed directory listing for the VPN device appears. 
Ensure that the deleted files no longer appear in the list. 

4. Leave the terminal emulation program by entering exit. 

The VPN device is restored to near-factory default condition 
while retaining the existing passwords.

Viewing the IP Configuration

This section tells you how to use your computer's operating
system to identify the IP address of your computer's interfaces.

Steps

To view your IP configuration:

1. In the Start menu, select Programs, then the MS-DOS
prompt.

The MS-DOS prompt appears.

2. At the c:\ prompt, enter one of the following:

• winipcfg for Windows 95/Windows 98 (GUI)

• ipconfig for Windows NT/Windows 2000 (text only)

• either winipcfg or ipconfig for Windows 98

The basic IP Configuration window appears.

3. Accept the default adapter that appears, or in the Ethernet
Adapter drop-down menu, select another one.

4. Click More Info>>.

The expanded IP Configuration window appears. A
description follows.

IP Configuration Window

The IP Configuration window has three parts:

• Host Information

• Ethernet Adapter Information

• Command buttons

Host Information 

The Host Information area displays the following information 
for review only: 

• Host Name, showing the name of your host computer, that is,
the computer at which you are working

• DNS (Domain Name Service) Servers, showing the IP
address of the DNS server on your network; to step through
the DNS servers available on your network, click on the
Lookup icon to the right of the DNS servers text

• Node Enter, showing the node enter of your host computer,
for example, hybrid

• NetBIOS Scope Id, showing the identification of the NetBIOS
(Network Basic Input/Output System) scope, if any

• IP Routing Enabled, showing IP routing is enabled when
checked; disabled when clear

• WINS Proxy Enabled, showing WINS (Windows Internet 
Naming Service) proxy routing is enabled when checked; 
disabled when clear 

• NetBIOS Resolution Uses DNS, showing the NetBIOS 
resolution uses the DNS when checked; does not use it when 
clear 

Ethernet Adapter Information 

The Ethernet Adapter Information area allows you to select 
installed Ethernet adapters in the Ethernet Adapter drop-down 
menu. The information in the text boxes changes to reflect this 
selection. Information appears for review only:

• Adapter Address, showing the hardware address of the 
adapter card; six two-digit hexadecimal characters 
separated by hyphens 

• IP Address, showing the IP address of the adapter 

• Subnet Mask, showing the subnet mask of the adapter 

• Default Gateway, showing the IP address of the default 
gateway of the adapter 

• DHCP Server, showing the IP address of the DHCP (Dynamic
Host Configuration Protocol) server for the adapter

• Primary WINS Server, showing the IP address of the primary
WINS (Windows Internet Naming Service) server for the
adapter

• Secondary WINS Server, showing the IP address of the
secondary WINS (Windows Internal Naming Service) server
for the adapter

• Lease Obtained, showing the date and time the lease began
for the temporary IP address issued from the pool (this lease
actually is measured in seconds, but appears in larger units
of time)

• Lease Expires, showing the date and time the lease ends for
the temporary IP address issued from the pool

Command Buttons

The IP Configuration window has the following command
buttons:

Button         Function

OK             Lets you close the window and apply the
               configuration parameters shown

Release        Releases the current TCP/IP binds for the
               displayed adapter only so that a new stack
               can be created

Renew          Renews the current TCP/IP binding for the
               displayed adapter only

Release All    Releases the current TCP/IP bindings for all
               adapters so that a new stack can be created

Renew All      Renews the current TCP/IP binding for all
               adapters

Using Telnet

This section tells you how to specify a remote connection using 
Telnet. 

One of the TCP/IP suite of protocols, Telnet provides virtual 
emulation across the Internet. Using IP as its transport 
mechanism, Telnet is received on application port number 23. 
Telnet provides a way to check device configuration in addition 
to using VPN Manager. 

Note: Telnet is supported only on red (private) interfaces. 

Steps

To specify a remote connection using Telnet:

1. In the Start menu, select Run.
The Run window appears.

2. In the Open field, enter telnet, then the IP address of the
red (private) interface of the VPN device.

The Telnet window appears.

3. In the Connect menu, select Remote System.
The Connect window appears.

4. In the Host Name drop-down menu, select a previously used
host name, or enter the name or IP address of the VPN device
to which you want to telnet in the Host Name field.

5. In the Port field, accept the default display of telnet, or in the
Port drop-down menu, select another connection port.

6. In the TermEnter field, accept the default display of vt100, or
in the TermEnter drop-down menu, select another terminal,
then press Enter.

7. To open Telnet, from the Start menu, select Run, then Telnet.
The Run window appears.

8. In the Open field, enter mstelnet.exe.

9. Click OK.

The Telnet window appears.

10. In the Terminal menu, select Preferences.
The Preferences window appears.

11. Select the VT100 arrows check box, then click OK.
You return to the Connect window.

12. Click Connect. 

A Password prompt appears on the screen. 

13. Enter the enable password. 

A row of asterisks (*) appears as you enter your password. 

The status Passed appears. 

Information concerning the device to which you are 
connected appears. 

You are provided with the command line prompt of the 
destination host.

Appendix — Network Infrastructure
Checklists



This appendix provides: 

• Checklist tables for you to complete, to gather network 
information that you need, before you install your VPN 
device 

• A Port Combinations table to provide the ports you must 
use through any firewall that is in front of a VPN device, 
depending upon which protocols you support on your 
corporate network 

Complete the following checklists before you install the VPN
device.

Checklist                    Task

Router Checklists            You provide each router's manufacturer, model,
                             operating system, IP address, and subnet mask.

Firewall Checklists          You provide the firewall's manufacturer, type,
                             and version. Also specify the IP addresses.

Internal Network Checklists  You provide the IP addresses, subnet masks,
                             and protocols on your internal network.

Authentication Checklists    You provide authentication method and IP
                             address of authentication server.

The Port Combinations table at the end of this appendix provides
the ports you use, depending upon which protocols you support
on your corporate network.
Router Checklists

The router checklists ask for information about the external
router that connects your network to the Internet.

Complete the following router checklists:

• Router classification

• External router IP address and subnet mask

• Filter information

• VPN device address and subnet mask

Router Classification

If you are using an external router, specify the following
information.

Router Manufacturer    Router Model    Operating System and Version Currently Used


External Router IP Address and Subnet Mask

Specify your router's IP addresses and subnet masks.

Interface                 IP Address    Subnet Mask

Internal
External
Additional Interface 1
Additional Interface 2
Filters

Determine if your existing router has filters. Do you plan to apply
the filters to the incoming and outgoing traffic in the VPN
device?

Yes    No


VPN Device IP Address and Subnet Mask

Assign the IP addresses and subnet masks to the VPN device that
you plan to use as a router. If you plan to use the VPN device for
a bridge, assign the same IP address and subnet mask to both
interfaces.

Interface    IP Address    Subnet Mask

E0
E1
S0
S1
Firewall Checklists

Firewall rules determine:

• Who can communicate from the corporate network to the
Internet, and who can communicate from the Internet to the
corporate network (by their IP addresses and subnet masks)

• What specific applications any individual user may access

With unrestricted access, a user's IP address and subnet mask is
0.0.0.0, and the user can gain access to any application (http, ftp,
and so on).

The outbound and inbound firewall checklists ask for IP
addresses, subnet masks, and the applications each user can
access.

Outbound Firewall Access Rights

Complete the following outbound and inbound firewall access
rights checklists:

Outbound Users    IP Address    Subnet Mask    Accessible Applications


Inbound Firewall Access Rights

Inbound Users     IP Address    Subnet Mask    Accessible Applications
Using An Existing Firewall

If you are using an existing firewall, you need to ensure that you
do not duplicate any of its IP addresses with those that you
provide to your new VPN device.

Existing Firewall Information

Provide the manufacturer, type, and version of your existing
firewall in the following table.

Firewall Manufacturer    Firewall Type    Firewall Version    Can Firewall Pass UDP Traffic? Yes/No


Firewall Interface Addresses

Provide the IP addresses of the interfaces on your existing
firewall.

Interface       IP Address

Internal
External
Additional 1
Additional 2
Internal Network Checklists

The internal network checklists pertain to how traffic is routed
through your internal network.

Internal Default Router

Determine if your current network topology includes an internal
default router. If yes, provide the IP address and subnet mask.

IP Address    Subnet Mask


LAN Cables and Connectors

The VPN device includes two RJ-45 UTP female connections.
Provide the physical type of your LAN:

Provide the types of cables and connectors it requires in the
following table.

Connectors or Cables                          Required? Yes/No

10BaseT/UTP
100BaseTX/UTP
10Base2/thin Ethernet (transceiver
required for interface)
10Base5/thick Ethernet
(transceiver required for interface)

WAN Cables and Connectors

Provide the physical type of your WAN:

Provide the types of cables and connectors it requires in the
following table.

Connectors or Cables                          Required? Yes/No

V.35 serial interface for Frame Relay
X.21 serial interface for dedicated
leased lines
DTE or DCE adapter cable

Note: To select the correct adapter cable, you must know
whether the VPN device is being connected to a DTE or DCE
device (see next section).

Adapter Cable

Devices that communicate over serial devices are either Data
Terminal Equipment (DTE) or Data Communications
Equipment (DCE) devices. DCE devices supply the clock signal
to pace the communications.

The VPN device is itself a DTE device. Follow these rules to
choose which type of adapter cable to use, and see the following
illustration:

• If connecting the VPN device to a Data Service Unit/
Channel Service Unit (DSU/CSU) device with a DCE
interface, use a DTE adapter cable.

• If connecting the VPN device to a DSU/CSU device with
a DTE interface, use a DCE adapter cable.

• If you connect the VPN device in frame relay bridge
mode, it connects a frame relay device (having a DTE
interface) with a DSU/CSU (having a DCE interface).

[Illustration: VPN Device (DTE); DSU/CSU (DCE) (DTE); Frame Relay Device (DCE); DTE Adapter Cable; DCE Adapter Cable]




This allows the VPN device to encrypt frame relay traffic 
before it is sent out on the frame relay network. 

In this configuration, you connect the VPN device to one port 
of the serial card with a DCE cable, and you connect the 
other serial card port to the DSU/CSU with a DTE cable. 

Provide the type of adapter cable required (DTE or DCE): 



Internal Network IP Addresses and Subnet Masks

Provide the IP addresses and subnet masks of your internal
network in the following table:

IP Addresses    Subnet Masks


Network Protocols

Provide the protocols you run on your network in the following
table:

Protocols    Yes    No

TCP/IP
IPX/SPX
NETBEUI
AppleTalk
Other
Authentication Checklists

To set up authentication for the VPN device, complete the
following checklists:

• Authentication types

• IP address and port for certificate authority (if applicable)

Authentication Types

Determine which authentication methods to use, and provide
this information in the following table. You may use a
combination of authentication applications for remote users and
site-to-site connections. If you use a third-party authentication
method, specify the version number.

Security Type            Version    Remote Users    Site-to-Site

Certificate Authority    N/A
Challenge Phrases        N/A
SecurID
RADIUS
NT Domain
Other 1
Other 2
Port Combinations Table

The following protocol and port combinations must be opened
through any firewall that is in front of a VPN device.

Protocol  Destination Port  Source Port  Actions

UDP       In: 2233          All          These data packets are encrypted. They must
          Out: 2233         All          be allowed through the firewall and should
                                         be directed to the device and no other
                                         destination address.

UDP       In: 10025         All          These packets are encrypted management
          Out: 10025        All          packets between the HP SA3000 Series VPN
                                         Manager and the VPN device. You should not
                                         open this firewall rule unless the VPN
                                         Manager is running outside the firewall.

UDP       In: 10026         All          These are encrypted statistics packets
          Out: 10026        All          bound for the VPN Manager. You should not
                                         open this firewall rule unless the VPN
                                         Manager is running outside the firewall.

UDP       In: 10027         All          These packets are certificate requests
          Out: 10027        All          between the certificate authority server
                                         and a VPN device or HP client.
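
The following is an added example, not part of the HP guide: a small Python audit that compares a proposed firewall rule list with the Port Combinations table and reports rules that are missing, unneeded, or directed more broadly than the VPN device. The rule format, the function names and the sample addresses are assumptions made for the example, as is treating UDP 10027 as always required.

```python
# Added example: audit a firewall rule list against the Port Combinations table.
# The rule format (dicts with dir/proto/port/dest) is an assumption made here,
# not a format used by the VPN device or by any firewall product.
import ipaddress

TUNNEL_PORT = 2233                # encrypted data packets
MANAGER_PORTS = (10025, 10026)    # VPN Manager management and statistics packets
CERT_PORT = 10027                 # certificate requests (assumed always required)

def allowed(rules, direction, port):
    """Return the UDP allow rules matching a direction ('in'/'out') and port."""
    return [r for r in rules
            if r["proto"] == "udp" and r["dir"] == direction and r["port"] == port]

def audit(rules, vpn_device_ip, manager_outside_firewall):
    """Compare rules with the table; return a sorted list of finding strings."""
    findings = []
    device = ipaddress.ip_network(vpn_device_ip)   # single host becomes a /32
    for direction in ("in", "out"):
        for port in (TUNNEL_PORT, CERT_PORT):
            if not allowed(rules, direction, port):
                findings.append(f"missing: udp/{port} {direction}")
        for port in MANAGER_PORTS:
            is_open = bool(allowed(rules, direction, port))
            if is_open and not manager_outside_firewall:
                findings.append(f"unneeded: udp/{port} {direction}")
            elif manager_outside_firewall and not is_open:
                findings.append(f"missing: udp/{port} {direction}")
    # Inbound 2233 must reach the VPN device and no other destination address.
    for r in allowed(rules, "in", TUNNEL_PORT):
        if ipaddress.ip_network(r["dest"], strict=False) != device:
            findings.append(f"too broad: udp/{TUNNEL_PORT} in -> {r['dest']}")
    return sorted(findings)

# Constructed sample rule set (192.0.2.0/24 is a documentation address range).
SAMPLE_RULES = [
    {"dir": "in",  "proto": "udp", "port": 2233,  "dest": "192.0.2.0/24"},
    {"dir": "out", "proto": "udp", "port": 2233,  "dest": "0.0.0.0/0"},
    {"dir": "in",  "proto": "udp", "port": 10025, "dest": "192.0.2.10"},
    {"dir": "in",  "proto": "udp", "port": 10027, "dest": "192.0.2.10"},
    {"dir": "out", "proto": "udp", "port": 10027, "dest": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES, "192.0.2.10", manager_outside_firewall=False):
        print(line)
```

With the VPN Manager inside the firewall, the sample set is flagged for forwarding UDP 2233 to a whole subnet and for an open 10025 rule that the table says should stay closed.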